[Bro] Bro-ids dpd offline analysis
Robin Sommer
robin at icir.org
Wed Dec 6 09:38:47 PST 2006
On Wed, Dec 06, 2006 at 16:47 +0800, CS Lee wrote:
> I'm wondering are there any examples showing how to use bro with all the
> argument options, I found it kinda confusing especially for people who new
Sorry, the shipped documentation is all we have in this regard at
this time. Yeah, having some more examples would certainly be nice.
> I tried to load all this to mt.bro, and running -
>
> bro -r test.pcap mt
That's almost correct except for one missing piece: for DPD you need
to set the capture-filter to include packets on non-standard ports,
e.g., "bro -f tcp -r test.pcap mt" to include all TCP packets. (This
is not different from live analysis which requires this too.)
Robin
--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org